Information Flow

Information Flow. CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 22, 2004. Overview. Information Flow Models Confinement Flow Model Compiler-Based Mechanisms. Bell-LaPadula Model. Information flows from A to B iff B dom A. TS{R,P}. TS{P}. TS{R}. S{R}. S{P}. S{}.


Presentation Transcript


  1. Information Flow CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 22, 2004

  2. Overview
     • Information Flow Models
     • Confinement Flow Model
     • Compiler-Based Mechanisms

  3. Bell-LaPadula Model
     • Information flows from A to B iff B dom A
     [Figure: lattice of security levels TS{R,P}, TS{P}, TS{R}, S{R}, S{P}, S{}]

  4. Entropy-Based Analysis
     • Command sequence takes a system from state s to state t
     • $x_s$ is the value of x at state s
     • $H(a \mid b)$ is the uncertainty of a given b
     • Def: A command sequence causes a flow of information from x to y if $H(x_s \mid y_t) < H(x_s \mid y_s)$. If y does not exist in s, then $H(x_s \mid y_s) = H(x_s)$

  5. Example Flows
     y := x
       $H(x_s \mid y_t) = 0$
     tmp := x; y := tmp;
       $H(x_s \mid y_t) = 0$

  6. Another Example
     if (x==1) then y := 0 else y := 1
     Suppose x is equally likely to be 0 or 1, so $H(x_s) = 1$
     But $H(x_s \mid y_t) = 0$
     So $H(x_s \mid y_t) < H(x_s \mid y_s) = H(x_s)$
     Thus, information flows from x to y.
     Def: An implicit flow of information occurs when information flows from x to y without an explicit assignment of the form y := f(x)
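Added example (not part of the original slides): the entropy test from slides 4 to 6, computed by enumerating the joint distribution of $(x_s, y_t)$. It assumes $x_s$ and $y_s$ are independent and goes slightly beyond the slides by also measuring a partial leak (`y := x mod 2`); the function names and sample distributions are constructed for illustration.

```python
import math
from collections import defaultdict

def cond_entropy(joint):
    """H(A | B) in bits, from a dict {(a, b): probability}."""
    p_b = defaultdict(float)
    for (_, b), p in joint.items():
        p_b[b] += p
    return -sum(p * math.log2(p / p_b[b])
                for (_, b), p in joint.items() if p > 0)

def flow_bits(command, x_dist, y_dist):
    """Return (H(x_s | y_s), H(x_s | y_t)) where y_t = command(x_s, y_s)."""
    before = defaultdict(float)   # joint distribution of (x_s, y_s)
    after = defaultdict(float)    # joint distribution of (x_s, y_t)
    for x, px in x_dist.items():
        for y, py in y_dist.items():
            before[(x, y)] += px * py
            after[(x, command(x, y))] += px * py
    return cond_entropy(before), cond_entropy(after)

def causes_flow(command, x_dist, y_dist):
    """Slide 4 definition: flow from x to y iff H(x_s | y_t) < H(x_s | y_s)."""
    h_before, h_after = flow_bits(command, x_dist, y_dist)
    return h_after < h_before - 1e-12

# Constructed sample distributions: a fair bit, and a uniform 2-bit value.
COIN = {0: 0.5, 1: 0.5}
TWO_BITS = {v: 0.25 for v in range(4)}

explicit = lambda x, y: x                      # y := x
implicit = lambda x, y: 0 if x == 1 else 1     # if (x==1) then y := 0 else y := 1
constant = lambda x, y: 7                      # y := 7, no dependence on x
low_bit = lambda x, y: x % 2                   # y := x mod 2, leaks one bit of two

if __name__ == "__main__":
    for name, cmd, dist in [("explicit", explicit, COIN),
                            ("implicit", implicit, COIN),
                            ("constant", constant, COIN),
                            ("low_bit", low_bit, TWO_BITS)]:
        print(name, flow_bits(cmd, dist, COIN), causes_flow(cmd, dist, COIN))
```
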

  7. Requirements for Information Flow Models
     • Reflexivity: information should flow freely among members of a class
     • Transitivity: If b reads something from c and saves it, and if a reads from b, then a can read from c
     A lattice has a relation R that is reflexive and transitive (and antisymmetric)

  8. Information Flow Models
     • An information flow policy I is a triple $I = (SC_I, \leq_I, \mathrm{join}_I)$, where $SC_I$ is a set of security classes, $\leq_I$ is an ordering relation on the elements of $SC_I$, and $\mathrm{join}_I$ combines two elements of $SC_I$
     • Example: Bell-LaPadula has security compartments for $SC_I$, dom for $\leq_I$ and lub as $\mathrm{join}_I$

  9. Confinement Flow Model
     • Associate with each object x a security class x
     • Def: The confinement flow model is a 4-tuple $(I, O, \mathrm{confine}, \to)$ in which
       • $I = (SC_I, \leq_I, \mathrm{join}_I)$ is a lattice-based info. flow policy
       • O is a set of entities
       • $\to : O \times O$ is a relation with $(a, b) \in \to$ iff information can flow from a to b
       • for each $a \in O$, confine(a) is a pair $(a_L, a_U) \in SC_I \times SC_I$, with $a_L \leq_I a_U$
       • if $x \leq a_U$ then information can flow from x to a
       • if $a_L \leq x$ then information can flow from a to x

  10. Example Confinement Model
      Let a, b, and $c \in O$
      confine(a) = [CONFIDENTIAL, CONFIDENTIAL]
      confine(b) = [SECRET, SECRET]
      confine(c) = [TOPSECRET, TOPSECRET]
      Then $a \to b$, $a \to c$, and $b \to c$ are the legal flows

  11. Another Example
      Let a, b, and $c \in O$
      confine(a) = [CONFIDENTIAL, CONFIDENTIAL]
      confine(b) = [SECRET, SECRET]
      confine(c) = [CONFIDENTIAL, TOPSECRET]
      Then $a \to b$, $a \to c$, $b \to c$, and $c \to a$ are the legal flows
      Note that $b \to c$ and $c \to a$, but information cannot flow from b to a because $b_L \leq_I a_U$ is false
      So, transitivity fails to hold

  12. Non-Lattice Information Flow Policies
      Government agency has public relation officers (PRO), analysts (A), and spymasters (S)
      4 classifications of data: public $\leq$ analysis, public $\leq$ covert, analysis $\leq$ top-level, covert $\leq$ top-level
      confine(PRO) = [public, analysis]
      confine(A) = [analysis, top-level]
      confine(S) = [covert, top-level]
      PRO $\to$ A, A $\to$ PRO, PRO $\to$ S, A $\to$ S, and S $\to$ A
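Added example (not part of the original slides): the confinement checks from slides 10 to 12, using the test slide 11 applies (information flows from b to a iff $b_L \leq a_U$), plus a search for the transitivity failures the slides point out. The function names are constructed, and the linear order CONFIDENTIAL < SECRET < TOPSECRET is an assumption the slides imply but do not spell out.

```python
from itertools import permutations

# Orderings given as covering pairs (lower, upper).
LINEAR = {("CONFIDENTIAL", "SECRET"), ("SECRET", "TOPSECRET")}   # assumed order
AGENCY = {("public", "analysis"), ("public", "covert"),
          ("analysis", "top-level"), ("covert", "top-level")}    # slide 12

def leq(lo, hi, order):
    """lo <= hi in the reflexive-transitive closure of the covering pairs."""
    return lo == hi or any(a == lo and leq(b, hi, order) for a, b in order)

def can_flow(src, dst, confine, order):
    """src -> dst is legal iff src_L <= dst_U (the test used on slide 11)."""
    return leq(confine[src][0], confine[dst][1], order)

def legal_flows(confine, order):
    """All legal flows between distinct entities."""
    return {(s, d) for s, d in permutations(confine, 2)
            if can_flow(s, d, confine, order)}

def transitivity_violations(confine, order):
    """Triples (a, b, c) with a -> b and b -> c legal but a -> c illegal."""
    flows = legal_flows(confine, order)
    return {(a, b, c) for a, b in flows for b2, c in flows
            if b == b2 and a != c and (a, c) not in flows}

SLIDE_10 = {"a": ("CONFIDENTIAL", "CONFIDENTIAL"), "b": ("SECRET", "SECRET"),
            "c": ("TOPSECRET", "TOPSECRET")}
SLIDE_11 = dict(SLIDE_10, c=("CONFIDENTIAL", "TOPSECRET"))
SLIDE_12 = {"PRO": ("public", "analysis"), "A": ("analysis", "top-level"),
            "S": ("covert", "top-level")}

if __name__ == "__main__":
    print(sorted(legal_flows(SLIDE_10, LINEAR)))
    print(transitivity_violations(SLIDE_11, LINEAR))
    print(sorted(legal_flows(SLIDE_12, AGENCY)))
    print(transitivity_violations(SLIDE_12, AGENCY))
```

With the slide 12 policy the only violation is S → A → PRO: a spymaster's data can reach an analyst and an analyst's data can reach a PRO, yet no direct flow from S to PRO is allowed.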

  13. Compiler-Based Mechanisms
      • Assignment statements
      • Compound statements
      • Conditional statements
      • Iterative statements

  14. Assignment Statements
      y := f(x1, ..., xn)
      Requirement for information flow to be secure is: $\mathrm{lub}\{x_1, \ldots, x_n\} \leq y$
      Example: x := y + z; $\mathrm{lub}\{y, z\} \leq x$

  15. Compound Statements
      begin S1; ... Sn; end;
      Requirement for information flow to be secure: S1 secure AND ... AND Sn secure

  16. Conditional Statements
      if f(x1, ..., xn) then S1; else S2; end;
      Requirement for information flow to be secure: S1 secure AND S2 secure AND $\mathrm{lub}\{x_1, \ldots, x_n\} \leq \mathrm{glb}\{y \mid y$ is the target of an assignment in S1 or S2$\}$

  17. Example Conditional Statement
      if x + y < z then a := b; else d := b * c - x; end;
      $b \leq a$ for S1
      $\mathrm{lub}\{b, c, x\} \leq d$ for S2
      $\mathrm{lub}\{x, y, z\} \leq \mathrm{glb}\{a, d\}$ for condition

  18. Iterative Statements
      while f(x1, ..., xn) do S;
      Requirement for information flow to be secure:
      • Iteration terminates
      • S secure
      • $\mathrm{lub}\{x_1, \ldots, x_n\} \leq \mathrm{glb}\{y \mid y$ is the target of an assignment in S$\}$

  19. Example Iteration Statement
      while i < n do begin a[i] := b[i]; i := i + 1; end;
      Loop terminates
      $i \leq a[i]$ AND $b[i] \leq a[i]$ for S1
      $\mathrm{lub}\{i, b[i]\} \leq a[i]$ for compound statement
      $\mathrm{lub}\{b[i], i, n\} \leq \mathrm{glb}\{a[i], i\}$ for while condition
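Added example (not part of the original slides): a small certifier that applies the rules of slides 14 to 18 to a statement tree, over a lattice of (level, compartment set) classes like the one on slide 3. The tuple encoding of statements, the function names and the class assignments are constructed for illustration; loop termination is assumed rather than checked.

```python
from functools import reduce

# Security class = (level, compartments): level S = 0, TS = 1; compartments R, P.
BOTTOM, TOP = (0, frozenset()), (1, frozenset("RP"))
S = lambda *c: (0, frozenset(c))
TS = lambda *c: (1, frozenset(c))

def leq(a, b):
    return a[0] <= b[0] and a[1] <= b[1]

def lub(classes):
    return reduce(lambda a, b: (max(a[0], b[0]), a[1] | b[1]), classes, BOTTOM)

def glb(classes):
    return reduce(lambda a, b: (min(a[0], b[0]), a[1] & b[1]), classes, TOP)

def targets(stmt):
    """Variables assigned anywhere inside stmt."""
    if stmt[0] == "assign":
        return {stmt[1]}
    subs = stmt[1] if stmt[0] == "seq" else stmt[2:]
    return set().union(*(targets(s) for s in subs))

def braces(names):
    return "{" + ", ".join(names) + "}"

def certify(stmt, cls):
    """Return the violated requirements; an empty list means certified."""
    if stmt[0] == "assign":                      # lub{x1..xn} <= y
        _, y, xs = stmt
        ok = leq(lub(cls[x] for x in xs), cls[y])
        return [] if ok else [f"lub{braces(xs)} <= {y}"]
    if stmt[0] == "seq":                         # S1 secure AND ... AND Sn secure
        return [v for s in stmt[1] for v in certify(s, cls)]
    # "if" / "while": bodies secure AND lub{condition vars} <= glb{targets}.
    # Loop termination (slide 18) is assumed here, not checked.
    cond, tgts = stmt[1], sorted(targets(stmt))
    bad = [v for s in stmt[2:] for v in certify(s, cls)]
    if not leq(lub(cls[x] for x in cond), glb(cls[t] for t in tgts)):
        bad.append(f"lub{braces(cond)} <= glb{braces(tgts)}")
    return bad

# Slide 17: if x + y < z then a := b else d := b * c - x
SLIDE_17 = ("if", ["x", "y", "z"],
            ("assign", "a", ["b"]), ("assign", "d", ["b", "c", "x"]))
# Constructed class assignments (not from the slides).
OK = {"x": S(), "y": S(), "z": S("R"), "b": S("R"), "c": S("P"),
      "a": TS("R"), "d": TS("R", "P")}
LEAKY = dict(OK, z=TS("P"))   # the condition now reads a TS{P} variable
```

`certify(SLIDE_17, OK)` returns an empty list, while `certify(SLIDE_17, LEAKY)` reports only the condition requirement: both assignments are still individually secure, so the rejected flow is the implicit one from z into a and d.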
